Analysis
-
max time kernel
124s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 18:20
General
-
Target
06f3d2aef65a1dd0f086c29bb0af678f570b1d76ee45c4ecc13994738bf2ea4e.exe
-
Size
184KB
-
MD5
8a0bb6cf20778dd7302567394b9bcba3
-
SHA1
a37d9c5bbcdeeedcfd2a5bd408636d6beac2beb2
-
SHA256
06f3d2aef65a1dd0f086c29bb0af678f570b1d76ee45c4ecc13994738bf2ea4e
-
SHA512
781f38b430b287846a4fc2c77adcdeb5da66c1bc52ab3906cf65adb3cfd4dbf7427310d08c8698fce4354e1a45a5ce32ca410e708a26e9c37ebef175be6b6077
-
SSDEEP
3072:W4/Wd8bsXQJl5vgl8MpvnNHOV9MdtZC+KPfH5Qzd:W4/23XQJovNO9M7ZWPfH5Qzd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs
-
UPX dump on OEP (original entry point) 39 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\06f3d2aef65a1dd0f086c29bb0af678f570b1d76ee45c4ecc13994738bf2ea4e.exe"C:\Users\Admin\AppData\Local\Temp\06f3d2aef65a1dd0f086c29bb0af678f570b1d76ee45c4ecc13994738bf2ea4e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\PCHealth.exeFilesize
184KB
MD58a0bb6cf20778dd7302567394b9bcba3
SHA1a37d9c5bbcdeeedcfd2a5bd408636d6beac2beb2
SHA25606f3d2aef65a1dd0f086c29bb0af678f570b1d76ee45c4ecc13994738bf2ea4e
SHA512781f38b430b287846a4fc2c77adcdeb5da66c1bc52ab3906cf65adb3cfd4dbf7427310d08c8698fce4354e1a45a5ce32ca410e708a26e9c37ebef175be6b6077
-
F:\ffctw.exeFilesize
97KB
MD5e76f99448ab5b880b19d1dfc2136476f
SHA1d8076dd65ca52e8da78baaf82693aad0f459bc99
SHA25604fac0d087b08aa4db61eaced59c7526d3cca2840caf2af17dbe6fb86edd519d
SHA5122463d1dd98dd6d6e7708735766db86045df17fd32f861e600a0c255793151726a954e4f56af2422a3c15433d638fc95571e56a15753e48c27bc929aae9744fe6
-
memory/4240-41-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-93-0x00000000021C0000-0x00000000021C2000-memory.dmpFilesize
8KB
-
memory/4240-30-0x00000000021C0000-0x00000000021C2000-memory.dmpFilesize
8KB
-
memory/4240-46-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-4-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-27-0x00000000021C0000-0x00000000021C2000-memory.dmpFilesize
8KB
-
memory/4240-16-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-6-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-32-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-14-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-28-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-31-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-29-0x00000000021E0000-0x00000000021E1000-memory.dmpFilesize
4KB
-
memory/4240-33-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-34-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-35-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-36-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-48-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-38-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-40-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-0-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4240-42-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-5-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-7-0x00000000021C0000-0x00000000021C2000-memory.dmpFilesize
8KB
-
memory/4240-37-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-50-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-53-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-54-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-58-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-59-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-66-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-68-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-70-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-73-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-74-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-76-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-78-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-80-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-82-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-84-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-87-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-88-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-92-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-47-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB
-
memory/4240-1-0x0000000002960000-0x0000000003A1A000-memory.dmpFilesize
16.7MB